Researcher publishes proof-of-concept code for creating Facebook worm

A Polish security researcher has published today details and proof-of-concept code that could be used for creating a fully functional Facebook worm.

This code exploits a vulnerability in the Facebook platform that the researcher –who goes online under the pseudonym of Lasq— has seen being abused in the wild by a Facebook spammer group.

The vulnerability resides in the mobile version of the Facebook sharing dialog/popup. The desktop version is not affected.

Lasq says that a clickjacking vulnerability exists in this mobile sharing dialog that an attacker can exploit through iframe elements. The spammer group who appears to have found this issue before Lasq has been (ab)using this vulnerability to post links on people’s Facebook walls.

So, yesterday there was this very annoying SPAM campaign on Facebook, where a lot of my friends published a link to what seemed like a site hosted on AWS bucket. It was some link to a french site with funny comics, who wouldn’t click it right?

After you clicked on the link, the site hosted on AWS bucket appeared. It asked you to verify if you are 16 or older (in French) in order to access the restricted content. After you clicked on the button, you were indeed redirected to a page with funny comic (and a lot of ads). However in the meantime the same link you just clicked appeared on your Facebook wall.

The researcher said he tracked down the issue at the heart of this problem to Facebook ignoring the “X-Frame-Options” security header for the mobile sharing dialog. According to the industry-approved MDN web docs, this header is used by sites to prevent their code from being loaded inside iframes, and is a primary protection against clickjacking attacks.

Lasq said he reported the issue to Facebook, but the company declined to patch it.

“As expected Facebook declined the issue, despite me trying to underline that this has security implications,” he said. “They stated that for the clickjacking to be considered a security issue, it must allow attacker to somehow change the state of the account (so for example disable security options, or remove the account).”

“In my opinion they should fix this,” the researcher added. “As you can see this ‘feature’ can be extremely easily abused by an attacker to trick Facebook users to unwillingly share something on their wall. I cannot stress enough how dangerous this is. This time it was only exploited to spread spam, but I can easily think of much more sophisticated usage of this technique.”

The researcher argues that this technique allows threat actors to easily concoct self-propagating messages that spread malware or phishing sites.

Contacted by ZDNet, Facebook played down the issue, as they did with Lasq.

“We appreciate the researcher’s report and the time he put into working on this,” said a Facebook spokesperson. “We built the current ability for the mobile social plugin/share dialog to be iframed to enable people to have integrated Facebook sharing experiences on 3rd party websites.”

“To help prevent abuse, we use clickjacking detection systems for any iframeable plugin product. We continuously improve these systems based on signals we observe,” Facebook told us. “Independently of this report, earlier this week we made improvements to our clickjacking detections that mitigate the risks described in the researcher’s report.”

Side note: Lasq’s code doesn’t include the clickjacking part, the one that posts content on people’s walls, but a simple internet search would provide any bad actor with the details and sample code to build that part and add it to the current PoC. Lasq’s code only allows an attacker to load and run unauthorized code from an attacker on a Facebook user’s account.